init-storage: Copy file contexts from rootfs

Apparently, BusyBox's `cp` does NOT copy SELinux contexts when the `-a` argument is specified. This differs from GNU coreutils's `cp`, and explains why the files copied from the rootfs image to the persistent storage volume were not being labelled correctly. The `-c` argument is required. Now that files are labelled correctly when they are copied, the step to run `restorecon` is no longer necessary.
2023-03-14 14:39:22 -05:00 · 2023-03-14 14:39:22 -05:00 · 292a4d2268
parent 31d8a98f64
commit 292a4d2268
3 changed files with 32 additions and 16 deletions
--- a/overlay/usr/lib/systemd/system/restorecon.service
+++ b/overlay/usr/lib/systemd/system/restorecon.service
@ -1,15 +0,0 @@
 [Unit]
 Description=Restore SELinux file contexts in /var
 ConditionNeedsUpdate=/var
 DefaultDependencies=no
 After=local-fs.target
 Before=sysinit.target
 Before=systemd-tmpfiles-setup.service
 Before=systemd-update-done.service
 [Service]
 Type=oneshot
 ExecStart=/usr/sbin/restorecon -RFv /var
 [Install]
 WantedBy=sysinit.target
--- a/overlay/usr/libexec/init-storage
+++ b/overlay/usr/libexec/init-storage
@ -16,7 +16,7 @@ copy_var() {
    echo 'Copying /var contents to data volume'
    mount -o subvol=var "${dev}" "${tmpdir}" || exit
-    cp -auv /var/. "${tmpdir}" || exit
+    cp -acuv /var/. "${tmpdir}" || exit
    umount "${tmpdir}"
 }
--- a/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
+++ b/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te
@ -30,6 +30,7 @@ init_daemon_domain(aimee_factory_reset_t, aimee_factory_reset_exec_t)
 allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
 allow aimee_storinit_t self:capability { chown fsetid sys_admin };
 allow aimee_storinit_t self:process { setfscreate };
 manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
 manage_files_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
@ -55,7 +56,13 @@ gen_require(`
 ')
 dontaudit aimee_storinit_t mount_runtime_t:dir write;
 seutil_read_config(aimee_storinit_t)
 seutil_read_file_contexts(aimee_storinit_t)
 kernel_rw_unlabeled_dirs(aimee_storinit_t)
 kernel_relabelfrom_unlabeled_dirs(aimee_storinit_t)
 files_manage_var_dirs(aimee_storinit_t)
 files_relabel_var_dirs(aimee_storinit_t)
 files_manage_var_files(aimee_storinit_t)
 files_manage_var_symlinks(aimee_storinit_t)
@ -70,29 +77,53 @@ gen_require(`
 	attribute logfile;
 ')
 manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
 relabel_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
 manage_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
 relabel_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
 manage_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
 relabel_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
 manage_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
 relabel_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
 manage_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
 relabel_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
 manage_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
 relabel_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
 manage_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
 relabel_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
 manage_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
 relabel_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
 manage_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
 relabel_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
 manage_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
 relabel_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
 manage_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
 relabel_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
 manage_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
 relabel_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
 manage_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
 relabel_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
 manage_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 relabel_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 manage_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 relabel_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 manage_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 relabel_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 manage_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
 relabel_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
 manage_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
 relabel_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
 manage_dirs_pattern(aimee_storinit_t, logfile, logfile)
 relabel_dirs_pattern(aimee_storinit_t, logfile, logfile)
 manage_files_pattern(aimee_storinit_t, logfile, logfile)
 relabel_files_pattern(aimee_storinit_t, logfile, logfile)
 manage_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
 relabel_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
 manage_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
 relabel_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
 manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
 relabel_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
 manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
 relabel_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
 ########################################
 #